fix(web): allow relay-backup origin in CSP connect-src

[saddlepaddle]

Summary

• Adds wss://relay-backup.superset.sh and https://relay-backup.superset.sh to the web app's CSP connect-src.

Why

The relay URL can be overridden to the backup relay via the relay-url-override PostHog flag (the same failover mechanism the desktop uses). The desktop already whitelists relay-backup.superset.sh in its CSP; the web app's production CSP has no blanket ws:/wss:, so both the WebSocket and HTTPS origins must be listed explicitly or a failover connection is blocked.

Testing

• bun run lint — clean
• bun run typecheck — clean (28/28)

---

---

Summary by cubic

Add relay backup origins to the web app’s CSP connect-src to support failover. Allows connections to wss://relay-backup.superset.sh and https://relay-backup.superset.sh so the PostHog relay-url-override can switch without being blocked.

^{Written for commit 0b20f84. Summary will update on new commits. Review in cubic}

Summary by CodeRabbit

• Chores
  • Updated security policy configuration to enable connections to backup relay service endpoints via both WebSocket and HTTP protocols alongside existing relay infrastructure.

[stage-review]

Ready to review this PR? Stage has broken it down into 1 individual chapter for you:

	Title
1	Whitelist backup relay origins in CSP

_{Chapters generated by Stage for commit 0b20f84 on May 16, 2026 10:55pm UTC.}

[capy-ai]

Capy auto-review is paused for this organization because the monthly auto-review limit has been reached. Increase the limit or turn it off in billing settings to resume automatic reviews.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ca350c4f-69fe-456a-9384-6642aed345d5

📥 Commits

Reviewing files that changed from the base of the PR and between ebe2981 and 0b20f84.

📒 Files selected for processing (1)

• apps/web/next.config.ts

---

📝 Walkthrough

Walkthrough

The web application's Next.js configuration is updated to permit relay-backup connectivity through the Content-Security-Policy connect-src directive by adding both WebSocket Secure and HTTPS origins for the relay-backup service.

Changes

Content Security Policy Update

Layer / File(s)	Summary
Add relay-backup to CSP connect-src apps/web/next.config.ts	The connect-src allowlist is extended with wss://relay-backup.superset.sh and https://relay-backup.superset.sh to enable browser connections to the relay-backup service over both WebSocket and HTTP protocols.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• superset-sh/superset#4473: Adds https://relay-backup.superset.sh and wss://relay-backup.superset.sh to apps/desktop/src/renderer/index.html's CSP connect-src, extending the same relay-backup allowlist pattern to the desktop application.
• superset-sh/superset#4577: Updates apps/web/next.config.ts's CSP connect-src to configure relay WebSocket connectivity via environment-based RELAY_URL fallback logic.

Poem

🐰 A backup relay hops in place,
Through CSP's secure embrace,
WebSocket and HTTPS now allow,
Superset's connectivity takes a bow! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding relay-backup origins to CSP connect-src directive.
Description check	✅ Passed	The description provides a clear summary, reasoning, and testing details, though it deviates from the template structure with additional auto-generated content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch web-csp-relay-backup

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds wss://relay-backup.superset.sh and https://relay-backup.superset.sh to the web app's CSP connect-src directive, mirroring the existing desktop allowlist so that PostHog-triggered relay failover works in the browser.

• Both WebSocket (wss://) and HTTPS origins are required: the relay is used for WebSocket terminal streaming and HTTP host-tRPC calls, exactly matching the pattern already used for the primary relay entries.
• The new entries are hardcoded unconditionally (always present, including in dev), while the primary relay entries are null in dev when RELAY_URL is unset. This is harmless — dev already permits blanket ws:/wss: — and mirrors the simpler, non-configurable nature of the backup URL.

Confidence Score: 5/5

Safe to merge — a two-line additive change to the CSP allowlist with no logic alterations.

The change correctly adds both the WebSocket and HTTPS origins for the backup relay, matching the dual-protocol pattern already in place for the primary relay. The new entries are unconditionally present (including in dev), but the dev CSP already allows blanket ws:/wss:, so there is no functional impact. No existing entries are removed or modified.

No files require special attention.

Important Files Changed

Filename	Overview
apps/web/next.config.ts	Adds two hardcoded CSP connect-src entries for the backup relay origin (wss:// and https://), correctly following the same dual-protocol pattern as the primary relay.

_{Reviews (1): Last reviewed commit: "fix(web): allow relay-backup origin in C..." | Re-trigger Greptile}

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}

[github-actions]

🚀 Preview Deployment

🔗 Preview Links

Service	Status	Link
Database (Neon)	✅	View Branch
API (Vercel)	✅	Open Preview
Web (Vercel)	✅	Open Preview
Marketing (Vercel)	✅	Open Preview
Admin (Vercel)	✅	Open Preview
Docs (Vercel)	✅	Open Preview

---

Preview updates automatically with new commits